My friend brought their Nintendo Switch to my place a few days ago and we realized my home network was too restrictive to allow it to do online play. The home network runs a pfSense firewall/router, configured typically for the most part, but without UPnP & NAT-PMP service. Turns out, the Switch requires these in order to play many of the internet-enabled multiplayer games. This post just documents the things I did to get it working while keeping in mind the security concerns with these services.
I personally don’t like UPnP and can get along without it, normally. To start with, I tried a static IP and port forwarding a large range of ports, but these changes didn’t seem to cut the mustard. So I ended up enabling UPnP and NAT-PMP to stop the Switch from complaining. Thankfully there are ACLs in pfSense for these services, so I can control which members of the network can access them.
1. Set a Static IP
Navigate to Services > DHCP Server and scroll to the bottom of the settings page to find the static mapping section. Click “Add” and fill out the static map for your Switch. You will need to copy the MAC address from the network settings of your own Nintendo Switch! Mine looks like this:
2. Enable Hybrid NAT Rules
Navigate to Firewall > NAT > Outbound, select “Hybrid Outbound NAT rule generation”, and save the settings change. The screen should look like this:
3. Create Outbound NAT Rule
While still in Firewall > NAT > Outbound, after saving the change above, you should be able to add new mappings to the list. Add a new rule to the bottom of the list using the second “Add” button. My outbound mapping rule looks like this:
4. Enable UPnP & NAT-PMP Services
Now navigate to and enable the UPnP and NAT-PMP services, configuring the service to deny clients by default and only allow the Nintendo Switch’s static IP and the ports it might need. My configurations look like this:
5. Check & Apply Network Settings
At this point you might need to double-check that your changes have applied correctly. Your Nintendo Switch console has probably already been assigned an IP address by your previous DHCP settings, so you may need to clear the old DHCP lease info from pfSense and also reset the console in order to get a new IP address. Once your Nintendo Switch is using the static IP you’ve set up, you should be good to go!
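
To check the ACL from step 4, here is an added example (not the author's configuration or pfSense code) that lints UPnP/NAT-PMP ACL entries so that only the console's static IP can request mappings. It assumes the entry format shown in the pfSense ACL help text, `[allow or deny] [ext port or range] [int ipaddr or ipaddr/CIDR] [int port or range]`; the IP address and sample entries are constructed.

```python
import ipaddress

# Constructed sample values; substitute your own static mapping and ACL lines.
SWITCH_IP = "192.168.1.50"  # assumed static IP given to the console in step 1
WEAK_ACL = ["allow 0-65535 192.168.1.0/24 0-65535"]       # whole LAN, all ports
TIGHT_ACL = ["allow 1024-65535 192.168.1.50 1024-65535"]  # one host, high ports


def parse_range(text):
    """'1024-65535' or '443' -> (low, high), validated as port numbers."""
    low, _, high = text.partition("-")
    low, high = int(low), int(high or low)
    if not 0 <= low <= high <= 65535:
        raise ValueError(f"bad port range: {text}")
    return low, high


def parse_entry(line):
    """Split one ACL entry into (action, ext ports, network, int ports)."""
    fields = line.split()
    if len(fields) != 4 or fields[0] not in ("allow", "deny"):
        raise ValueError(f"malformed ACL entry: {line!r}")
    action, ext, addr, internal = fields
    net = ipaddress.ip_network(addr, strict=False)
    return action, parse_range(ext), net, parse_range(internal)


def audit(entries, allowed_host, deny_by_default=True):
    """Return findings for an ACL list that should serve exactly one host."""
    host = ipaddress.ip_network(allowed_host)
    findings = []
    if not deny_by_default:
        findings.append("default deny is off: unlisted clients can request mappings")
    for line in entries:
        action, ext, net, internal = parse_entry(line)
        if action != "allow":
            continue
        if net != host:
            findings.append(f"{line!r}: allows {net}, not only {host}")
        # Hardening heuristic: keep mappings out of the privileged port range.
        if ext[0] < 1024 or internal[0] < 1024:
            findings.append(f"{line!r}: permits ports below 1024")
    return findings


if __name__ == "__main__":
    for name, acl in (("weak", WEAK_ACL), ("tight", TIGHT_ACL)):
        print(name, audit(acl, SWITCH_IP) or "no findings")
```

An empty result means every allow entry is scoped to the single console address and to ports 1024 and above.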